Cryptography-Digest Digest #184, Volume #11 Wed, 23 Feb 00 00:13:01 EST
Contents:
Re: Q: Large interger package for VB? (longreply with source) (Ed Pugh)
Re: US secret agents work at Microsoft claims French intelligence report (wtshaw)
Blair Ciphers? (wtshaw)
Re: Processor speeds. ("Joseph Ashwood")
Passwords secure against dictionary attacks? (Ilya)
Re: Swapfile Overwriter: R.I.P. (Steve K)
Re: Passwords secure against dictionary attacks? (Omar Y. Inkle)
Re: Stuck on code-breaking problem - help appreciated ("Douglas A. Gwyn")
Re: John McCain Encrypt? (ChenNelson)
Re: Passwords secure against dictionary attacks? ("John Galt")
Re: Processor speeds. ("Clockwork")
Re: Passwords secure against dictionary attacks? ("Martin Paquet")
Re: Processor speeds. ("Joseph Ashwood")
Re: Passwords secure against dictionary attacks? (Ilya)
Re: Velvet Sweat Shop in Excel (Arthur Dardia)
Re: Passwords secure against dictionary attacks? ("NutWrench")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Ed Pugh)
Crossposted-To: comp.lang.basic.visual.misc,comp.lang.basic.visual.3rdparty,sci.math
Subject: Re: Q: Large interger package for VB? (longreply with source)
Date: 22 Feb 2000 22:59:35 GMT
Reply-To: [EMAIL PROTECTED] (Ed Pugh)
Thanks for your follow-up, Michael, but I do not think this is quite
what I am looking for.
It appears that the module you posted does arithmetic on large
precision decimal numbers, NOT integers (or natural numbers).
Also, it did not appear to implement the modulus operation,
which I need.
As well, I noticed that it seemed to have a "naive" implementation
of the exponentiation function which, for the sizes of exponents
I am talking about, would probably take a few millennia to execute!
Does anyone know of any better VB implementations of large integer
packages?
Michael Carton ([EMAIL PROTECTED]) wrote:
> <I trimmed the NG list.>
Why? <I added them back!>
>
> Ed Pugh wrote:
>>
>> I want to use Visual BASIC (5.0, pro ed'n, SP3) to do some
>> prototyping and experimenting with algorithms involving very
>> large natural numbers or integers.
>>
>> Does anyone know if and where I can find and download a
>> *FREEWARE* (or *UNCRIPPLED* shareware) VB class or "library"
>> that can handle arbitrarily large natural numbers or integers
>> (up to a few thousand bits long)? (And it has to work with
>> VB 5.0.)
>
> Here's something I downloaded. Free Source. I tested it with numbers
> with up to 2,090 digits. It works.
^^^^^^^^^^^^
Bet you did not try a number this size as an exponent (i.e. 2nd
parameter) for the IntPower function! ;-)
[ SNIP - VB module source code ]
Thanks and regards,
--
Ed Pugh, <[EMAIL PROTECTED]>
Richmond, ON, Canada (near Ottawa)
"Bum gall unwaith-hynny oedd, llefain pan ym ganed."
(I was wise once, when I was born I cried - Welsh proverb)
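
Both requirements in the post above, a modulus operation and an exponentiation routine that copes with exponents thousands of bits long, are met together by binary square-and-multiply with a reduction after every step. The following is an added example in Python, not the VB module discussed in the thread and not code from any poster; the 1024-bit operands are constructed sample values.

```python
def modexp(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (base**exponent mod modulus, number of modular multiplications).
    Reducing after every step keeps each intermediate below modulus**2.
    """
    if exponent < 0 or modulus < 1:
        raise ValueError("need exponent >= 0 and modulus >= 1")
    if modulus == 1:
        return 0, 0
    base %= modulus
    result, mults = 1, 0
    for bit in bin(exponent)[2:]:          # most significant bit first
        result = (result * result) % modulus   # square for every bit
        mults += 1
        if bit == "1":
            result = (result * base) % modulus  # multiply only on 1 bits
            mults += 1
    return result, mults


def naive_multiplications(exponent):
    """Multiplications needed by repeated multiplication (base * base * ...)."""
    return max(exponent - 1, 0)


# Constructed sample operands, roughly 1024 bits each.
SAMPLE_MODULUS = 2**1024 - 105
SAMPLE_BASE = 3**600 + 7
SAMPLE_EXPONENT = 2**1023 + 12345

if __name__ == "__main__":
    value, mults = modexp(SAMPLE_BASE, SAMPLE_EXPONENT, SAMPLE_MODULUS)
    print("matches built-in pow:", value == pow(SAMPLE_BASE, SAMPLE_EXPONENT, SAMPLE_MODULUS))
    print("square-and-multiply multiplications:", mults)
    print("naive multiplications (decimal digits):",
          len(str(naive_multiplications(SAMPLE_EXPONENT))))
```

The cost grows with the bit length of the exponent rather than with its value, which is why the same loop ports directly to any big-integer package that offers multiply and mod.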
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: US secret agents work at Microsoft claims French intelligence report
Date: Tue, 22 Feb 2000 16:37:42 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Dave Hazelwood) wrote:
> I don't know. But if I was a major foreign corporation and if a
> credible foreign intelligence service came out and said what the
> French intelligence service just did I would think twice before
> betting my company's future that it wasn't true.
>
> And, especially after disclosure of the "NSAKEY" found in windows
> recently.
>
> Remember the snippet above came from a report by the French
> Intelligence Service and not some whacko fan of Scully and Mulder.
>
> The more smoke there is, the more one is willing to suspect a fire.
Figure that the French could have people capable of studying source code
after decompiling if necessary. And, perhaps even have intelligence arms
of their own to gather information.
Of course, it could be a ploy as well as a game. No country, or company
that likes to play Intrigue, is apt to put their hand on the table face-up
as long as it considers how to bluff and parry for its own advantage.
--
Regarding healthcare, when GWB became governor, Texas was 43 in
the nation, now we are 49th. And, I need not tell you about his
bloody support of the death penalty. Reformer?
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Blair Ciphers?
Date: Tue, 22 Feb 2000 16:44:18 -0600
I understand the concept involved, but does anyone have some historical
information on this topic?
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Tue, 22 Feb 2000 23:13:17 -0000
> Can you name a manufacturer?
Sega Dreamcast is the one that comes to mind, there's also
Playstation 2, and Dolphin fairly soon. The problem I see is
the available memory, generally <=8MB
Joe
------------------------------
From: Ilya <[EMAIL PROTECTED]>
Subject: Passwords secure against dictionary attacks?
Crossposted-To: comp.security.misc,alt.security.pgp
Date: Tue, 22 Feb 2000 23:29:35 GMT
Is it secure to take two words and join them together, such as:
crypto/life cyber@machine green-dog Loud!Music
I find that they are really easy to remember, especially if the word
combination has some meaning to the user. I have been told that such
combinations are vulnerable to dictionary attacks. I think that they are
not vulnerable to dictionary attacks since the password is not a word, it
combines two words and is meaningless and can only be brute-forced.
Any input on that?
===========================================================================
National Organization for the Repeal of the Federal Reserve: www.norfed.org
The Foundation for the Advancement of Monetary Education: www.fame.org
E-gold: A privately issued e-currency backed by metals: www.e-gold.com
Principia Publishing: www.principiapub.com
===========================================================================
------------------------------
From: [EMAIL PROTECTED] (Steve K)
Subject: Re: Swapfile Overwriter: R.I.P.
Date: Tue, 22 Feb 2000 23:39:15 GMT
On Tue, 22 Feb 2000 05:48:54 GMT, [EMAIL PROTECTED] (Dave
Hazelwood) wrote:
>Steve,
>
>Then SecureClean is what you want. It does it all including
>shutting down to DOS to clean the swap file.
>
>www.AccessData.com
Yikes! Fifty dollars U.S. to automate three routine commands (erase,
erase files on task list, and wipe swap file) that run via freeware?
The only thing left out with Eraser and Scorch that Secure Clean
covers is temp files that are deleted by the applications that write
them-- and if that worried me, I would move these apps into Scramdisk
containers and have done with it. That's more secure than "secure"
deletion anyway.
Secure Clean looks OK to me-- but way, far, absurdly too expensive.
And something about endorsements by police forensics people definitely
creeps me out. IMO they would be the absolute last people to trust,
since it's their job to recover data against the user's will: "Use
this software, it will stop my investigations dead in the water,"
somehow just doesn't sound like a very professional thing for a
computer cop to say. If it was true, that is...
Actually, I'm quite satisfied with Eraser and Scorch. I was just
hoping for something free & easy to use that I could point the new
kids at. Never mind...
:o)
Steve
---Continuing freedom of speech brought to you by---
http://www.eff.org/ http://www.epic.org/
http://www.cdt.org/
PGP key 0x5D016218
All others have been revoked.
------------------------------
From: [EMAIL PROTECTED] (Omar Y. Inkle)
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 00:18:50 GMT
Ilya <[EMAIL PROTECTED]> wrote:
>Is it secure to take two words and join them together, such as:
>crypto/life cyber@machine green-dog Loud!Music
That's a popular way to construct passwords, and because of that it's less
secure. In general, the more popular a password selecting strategy gets,
the less secure it becomes. In my opinion, the best way to select a good
password is...
Uh, never mind.
--
"Omar Y. Inkle" is actually [EMAIL PROTECTED] (1579 624803).
0123 4 56789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Stuck on code-breaking problem - help appreciated
Date: Tue, 22 Feb 2000 23:13:32 GMT
jdc wrote:
> It's in the front cover of an old society records book (1860-1888)
Masonic? Perhaps some FreeMason could assist.
> ... it *may* be upside down.
But then the dots would precede words instead of following them,
which doesn't seem likely.
------------------------------
From: [EMAIL PROTECTED] (ChenNelson)
Subject: Re: John McCain Encrypt?
Date: 23 Feb 2000 00:26:29 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
The "junk" looks a lot like the garbage that a Hipcrime has been
spewing periodically to newsgroups he/she/it does not like. I doubt it
is actually an encrypted message. I'm willing to guess this bozo (or
ones similar) don't like McCain.
Later,
Nelson Chen
=====BEGIN PGP SIGNATURE=====
Version: PGP for Personal Privacy 5.5.2
Comment: For public key, go to key server with key ID 0xD28C0DD9
iQA/AwUBOLMpwm1ACZTSjA3ZEQJhLwCfePQgyzjU8klaPpXBSJfEkMbW1ScAni5d
83UCjsUtB1ufXo3tinRfzJOg
=yb9g
=====END PGP SIGNATURE=====
------------------------------
From: "John Galt" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Wed, 23 Feb 2000 00:55:26 GMT
The best password is one that isn't a password, but a passphrase instead. It
should consist of upper and lower case letters, numbers, and symbols, all of
which should be randomly chosen. The secure passphrase should be at least 16
characters long. You should never write it down, commit it to memory only.
You should never share it with anyone, unless you absolutely have to. If you
are looking for a password that is easy for you, then you must also realize
that it will be relatively easy to attack.
------------------------------
Reply-To: "Clockwork" <[EMAIL PROTECTED]>
From: "Clockwork" <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Wed, 23 Feb 2000 01:08:30 GMT
"Joseph Ashwood" <[EMAIL PROTECTED]> wrote in message
news:ehvbDuYf$GA.266@cpmsnbbsa03...
> The problem I see is the available memory, generally <=8MB
> Joe
The newer systems are nearly as expandable as an average PC. The newer
consoles will definitely position its ultra-powerful "game" systems as
workstations -- or home-computing devices. (Why WAIT for renders or
simulations [or factorizations] on a PC, when you can do it in real-time on
a console :)
All newer, 128-bit consoles support vastly increased RAM capacity, network
cards, modems, keyboards, VR devices, and force-feedback; more will be
available shortly after the release of these consoles.
Another question: When was the last time your console crashed?
Clock
------------------------------
From: "Martin Paquet" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Tue, 22 Feb 2000 20:12:11 -0500
Go to http://www.webattack.com/freeware/security/fwantihack.shtml and try
the Password freeware tool. It's a small DOS program that challenges
password strings you provide against dictionary attacks and brute force
attacks. It's crude but interesting.
"Ilya" <[EMAIL PROTECTED]> wrote in message
news:zZEs4.2145$[EMAIL PROTECTED]...
>
>
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
>
> I find that they are really easy to remember, especially if the word
> combination has some meaning to the user. I have been told that such
> combinations are vulnerable to dictionary attacks. I think that they are
> not vulnerable to dictionary attacks since the password is not a word, it
> combines two words and is meaningless and can only be brute-forced.
>
> Any input on that?
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Processor speeds.
Date: Wed, 23 Feb 2000 01:18:03 -0000
> Another question: When was the last time your console crashed?
You don't really want me to answer that, my console is 9 1/2
years old and has slowly developed a hardware problem.
Joe
------------------------------
From: Ilya <[EMAIL PROTECTED]>
Subject: Re: Passwords secure against dictionary attacks?
Crossposted-To: comp.security.misc,alt.security.pgp
Date: Wed, 23 Feb 2000 03:14:05 GMT
In alt.security.pgp Martin Paquet <[EMAIL PROTECTED]> wrote:
> Go to http://www.webattack.com/freeware/security/fwantihack.shtml and try
> the Password freeware tool. It's a small DOS program that challenges
> password strings you provide against dictionary attacks and brute force
> attacks. It's crude but interesting.
There is a zip file for Windows only. I cannot use it. Thanks anyway.
I was just wondering about that strictly in terms of brute-forcing
it.
------------------------------
From: Arthur Dardia <[EMAIL PROTECTED]>
Subject: Re: Velvet Sweat Shop in Excel
Date: Tue, 22 Feb 2000 21:51:19 -0500
"John E. Kuslich" wrote:
> I think this newsgroup IS a good place for this message and I welcome the
> message.
>
> This is NOT a security hole in Excel. It is an AutoRun Macro that is built
> into Excel. The password "VelvetSweatshop" is used as normal to encrypt
> the Excel file. The encryption algorithm is the same as is normally used
> with Excel. The unicode password "V.e.l.v.e.t.S.w.e.a.t.s.h.o.p" is MD5
> hashed with a bunch of other data and the first five bytes of the hash are
> used as an RC4 key along with a modulo eight counter byte.
>
> Excel checks the password entered by the user when saving the file with a
> string value stored in the resource section of the Xlintl32.dll which is
> part of Office97. If the values correspond, the file is encrypted as normal
> but the file will auto open using this password.
>
> This macro is interesting from two standpoints:
>
> 1) It shows how utterly insecure a PC is because this code could have
> easily been a trojan, deeply hidden in the official Microsoft looking code,
> ready to spring into action on command. Users of cryptographic software
> beware!!!!
>
> 2) You can easily change the "Magic" password to anything you want. Just
> use a hex editor to change the string "VelvetSweatshop" to "KissMyButt" or
> "BillisQueer" any other valid password string. So wouldn't it be fun to
> alter the Xlintl32.dll on your machine so it opens any Excel file that uses
> your boss's favorite password??
>
> When it comes to software, don't trust it!
>
> JK
>
Especially fun when you open the payroll file and you pad your check amount with
a few zeros.
Well, we can dream, can't we?
>
> seifried <[EMAIL PROTECTED]> wrote in message
> news:voBs4.6024$[EMAIL PROTECTED]...
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > > Hello!
> > >
> > > When you save .xls file (Excel 97 & 2000) with password
> > > 'VelvetSweatshop' and next try to open this file, the password will
> > > not be asked. It's not a serious bug, I think, but the question is:
> > > WHY???
> > > SY / C4acT/\uBo Pavel Semjanov
> > > _ _ _ http://www.ssl.stu.neva.ru/psw/
> > > | | |-| |_|_| |-| 2:5030/145.17@fidonet
> >
> > I don't think this is the right newsgroup, but having said that. He's
> > right.
> >
> > Create a spreadsheet, enter some data, save it, hit options, give it
> > a password (say "test"). Close and open it, enter blank, it'll toss
> > you and mention capslock, open it, give the right password, ok it
> > works. Now save it, hit options, and use the password
> > "VelvetSweatshop", close it and open it, hit enter (i.e. do not enter
> > a password) and yeah, it opens it. And you can modify and save it (I
> > also put the write protect password on it using "VelvetSweatshop").
> > So there's at least one backdoor in Excel as far as password
> > protected files go (but the password protection is pretty weak and
> > almost useless in any case).
> >
> > I guess it proves that you should use products actually designed to
> > secure data, and not the feature add-ons that various packages have
> > to "protect" your files.
> >
> > http://www.securityportal.com/research/cryptodocs/basic-book/index.html
> >
> > Covers most of your options for Windows, Linux, etc for
> > files/email/yadayada.
> >
> > I wonder what other passwords exist.
> >
> > Kurt Seifried - Senior Analyst
> > http://www.securityportal.com/
> > http://www.cryptoarchive.net/
> > http://www.seifried.org/
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.3
> >
> > iQCVAwUBOLLjCTUsc05KUv5VAQHrDAP6AwvIohZFlkhS/YfLmlCRftTLF/umQplJ
> > R6GzYwlAT0gwQTDNdcOXET4GPH97oEts1E+mibP8BDH2prqHn+gWN4MDi+PbJIaM
> > oTVMx6cZValYf5T1LjQjcVJFi7jQMT+bdufPdTiVJg6YkZaJW4ElHm5bT0iLR21Y
> > lrMtlmXblP0=
> > =ITaD
> > -----END PGP SIGNATURE-----
> >
> >
> >
--
Arthur Dardia Wayne Hills High School [EMAIL PROTECTED]
PGP 6.5.1 Public Key http://www.webspan.net/~ahdiii/ahdiii.asc
------------------------------
From: "NutWrench" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,alt.security.pgp
Subject: Re: Passwords secure against dictionary attacks?
Date: Tue, 22 Feb 2000 23:56:27 -0500
Ilya <[EMAIL PROTECTED]> wrote in message
news:zZEs4.2145$[EMAIL PROTECTED]...
>
>
> Is it secure to take two words and join them together, such as:
>
> crypto/life cyber@machine green-dog Loud!Music
>
> I find that they are really easy to remember, especially if the word
> combination has some meaning to the user. I have been told that such
> combinations are vulnerable to dictionary attacks. I think that they are
> not vulnerable to dictionary attacks since the password is not a word, it
> combines two words and is meaningless and can only be brute-forced.
>
> Any input on that?
Hi Ilya,
One way to have an easily-remembered password that defeats dictionary based
attacks is to enter your passphrase, but press the key which is above and to
the left or right of the actual key. For example, if your password is
'bullwinkle', instead of pressing 'b' press 'h' (above and to the right).
The typed text for 'bullwinkle' would then be: 'h8pp39jop4' :o)
--Nut
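
For the question this thread asks, whether a two-word password "can only be brute-forced", the following added example (not part of any post in this digest) is a small password-audit check that recognises the word + separator + word pattern and compares the size of that search space with character-by-character brute force. The word list is a constructed sample, and the dictionary size, case variants and separator count are labelled assumptions.

```python
import math

# Constructed sample word list for the demo. The size figures below are
# assumptions about a realistic dictionary, not measurements.
SAMPLE_WORDS = {"crypto", "life", "cyber", "machine", "green", "dog", "loud", "music"}
ASSUMED_DICT_SIZE = 50_000   # assumed number of words in the dictionary
CASE_VARIANTS = 3            # lower, Capitalized, UPPER for each word
SEPARATORS = 33              # 32 ASCII punctuation marks, or no separator
PRINTABLE = 95               # printable ASCII, for character brute force


def split_two_words(password, words=SAMPLE_WORDS):
    """Return (word1, separator, word2) if the password fits the pattern.

    Matching is case-insensitive; the separator is empty or one
    non-alphanumeric character.
    """
    for i in range(1, len(password)):
        candidates = [(password[:i], "", password[i:])]
        if not password[i].isalnum() and i + 1 < len(password):
            candidates.append((password[:i], password[i], password[i + 1:]))
        for w1, sep, w2 in candidates:
            if w1.lower() in words and w2.lower() in words:
                return w1, sep, w2
    return None


def brute_force_bits(password):
    """log2 of the space searched one printable character at a time."""
    return len(password) * math.log2(PRINTABLE)


def two_word_bits():
    """log2 of the space of (word, separator, word) under the assumptions."""
    per_word = ASSUMED_DICT_SIZE * CASE_VARIANTS
    return math.log2(per_word ** 2 * SEPARATORS)


def effective_bits(password, words=SAMPLE_WORDS):
    """Smaller of the two search spaces; the figure an auditor should use."""
    bits = brute_force_bits(password)
    if split_two_words(password, words):
        bits = min(bits, two_word_bits())
    return bits


if __name__ == "__main__":
    samples = ["crypto/life", "cyber@machine", "green-dog", "Loud!Music", "q7#Vz!2mLp@"]
    for pw in samples:
        print(f"{pw:14} brute force {brute_force_bits(pw):5.1f} bits, "
              f"effective {effective_bits(pw):5.1f} bits")
```

Under these assumptions every password that fits the pattern scores the same, about 39 bits, regardless of its length, while a random 11-character string scores about 72 bits.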
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************